IT security incident detected! Now what?
As a Security Officer in a large public company you are responsible for protecting the company's business against damage caused by security incidents, whether deliberate or accidental. You have implemented many security controls in your network and you make sure that staff are aware of, and committed to, the security policies. Your Information Security Management System (ISMS) is fully compliant with industry standards, regularly audited and improved on the basis of risk assessments. And the plan, do, check, act (PDCA) improvement cycle has been implemented.
You have everything under control and you can sit back and spend your holiday free from stress, even while criminal hackers are trying to break through your defenses to get at your company's valuable data.
But no, being an experienced Security Officer you are not that naïve. You know that security incidents are increasing despite the rise in preventive measures. A recent Symantec report concludes that in 2013 there was a 91% increase in targeted attacks, a 62% increase in the number of breaches, and a staggering 553 million+ identities exposed as a result of security incidents.
Security experts say a breach is unavoidable: it will happen to you sooner or later, despite the defensive measures you have taken.
Are you prepared for the day a breach happens at your company and confidential data is exposed? An exposure which could include sensitive data from your customers, or personal data belonging to people who trust your organization? What do you do when such an incident happens? Do you have a plan to deal with it, are your people aware of that plan, and have you practiced it with them?
Create a Security Incident Response Plan
Having a security incident response plan is mandatory if you want to limit damage where possible, find the root cause of the incident, and document the weakness in your ISMS that allowed it. A valuable resource for developing such a plan is the Computer Security Incident Handling Guide (SP 800-61) published by the National Institute of Standards and Technology (NIST).
Depending on how your organization is structured, the incident response team may be led centrally or distributed over multiple locations or even (partly) outsourced. You may have a dedicated response team that is always available or a part-time team that is contacted quickly when an incident occurs.
In all cases, the team must at least cover the following functions and include an overall coordinator who acts as the single point of contact to organizational management:
Business information owners, who are responsible for the data that is breached or under attack, determine the business impact and which business partners may be affected. Typically these are members of a sales and/or business operations entity.
Security Officer and IT operational management must know the technical environment, the applications, the incident response procedures and any policies that apply. They are responsible for limiting or stopping the breach by applying technical measures and activating security procedures. Most likely this team, together with the Legal Department, will liaise with the third-party forensic investigator.
Legal Department, responsible for ensuring that every action taken is compliant with applicable laws and regulations. Evidence collection directives, possible prosecutions and lawsuits must be managed by Legal.
Communications or Public Affairs department, which acts as the single point of contact between the organization and the outside world for press and business relations.
Facilities Management must be involved when a security breach is caused by a physical attack. Facilities Management can also grant access to any physical room or area so that the appropriate response team members can do their work.
Human Resources may assist when an employee is involved, deliberately or accidentally, in the attack or security breach.
Business Continuity Planning team: last but not least, the BCP team that is responsible for acting on high-impact incidents. This team specializes in minimizing operational disruption during severe incidents and may help restore systems and data where needed.
A Security Incident Response plan should at least have the following main steps:
Inform your key staff and assemble the emergency response team as soon as the incident has been detected. The first minutes and hours of an incident are the most important for finding the cause and limiting the damage.
If you see an attack going on in your systems and want to stop it, do not simply switch off equipment: you may destroy valuable evidence held in RAM, and log files that exist only on a running system may be discarded after power-off. Where feasible, capture the volatile data first (a memory image, the list of active network connections and processes) and only then contain. Do not panic and cut everything; instead limit the connection(s) between the attackers and the resources they are trying to reach. Contact your network provider, as they can help you selectively close down connections without harming operational systems. If possible, try to contain the attacker in an isolated sandbox environment without alerting him. Any action to stop the attack should focus on isolating the attacker and, when possible, keeping your operational systems online by configuring specific access control lists or firewall rules that block only the attacker's traffic.
It is essential to engage a certified third-party digital forensic investigator to secure traces and evidence of the attack; if needed, they can also help you mitigate an ongoing attack. They will have response teams available 24 hours a day. Be aware that evidence collected without a documented chain of custody may not be usable in court afterwards, so record who collected what, when, and its hash from the very first action. When your company is bound by legislation such as Sarbanes-Oxley, HIPAA and similar regulations, it may be required to perform and document a digital investigation after a security incident in order to stay compliant.
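The containment and evidence steps above in working form, as an added example (not code from the original article): constructed sshd log lines are triaged to find the attacking source, iptables rules are generated that drop only that source so the service stays online for everyone else, and a chain-of-custody record with a SHA-256 hash is produced for the log excerpt before anything is touched. The log format, the failure threshold, the use of iptables and the `evidence_record` helper are assumptions for illustration; the rules are returned as strings for a responder to review, not executed.

```python
"""
Added example (not from the original article): triage constructed auth-log
lines, identify the attacking source address, produce a containment plan
that isolates only that address, and hash the evidence so later truncation
or tampering is detectable. Log format, threshold and iptables usage are
assumptions for illustration.
"""
import hashlib
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample lines in syslog-style sshd format (not real data).
SAMPLE_LOG = """\
Mar  4 10:01:02 web01 sshd[2231]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar  4 10:01:03 web01 sshd[2231]: Failed password for root from 203.0.113.45 port 51023 ssh2
Mar  4 10:01:04 web01 sshd[2233]: Failed password for admin from 203.0.113.45 port 51024 ssh2
Mar  4 10:01:05 web01 sshd[2235]: Failed password for invalid user test from 203.0.113.45 port 51025 ssh2
Mar  4 10:01:06 web01 sshd[2237]: Accepted password for deploy from 203.0.113.45 port 51026 ssh2
Mar  4 10:02:10 web01 sshd[2240]: Accepted publickey for alice from 198.51.100.7 port 40112 ssh2
Mar  4 10:02:11 web01 sshd[2242]: Failed password for bob from 198.51.100.9 port 40200 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
ACCEPTED = re.compile(r"Accepted \w+ for (\S+) from (\d+\.\d+\.\d+\.\d+)")
FAILURE_THRESHOLD = 3  # assumed: this many failures from one IP counts as brute force


def triage(log_text, threshold=FAILURE_THRESHOLD):
    """Return {ip: {"failures": n, "accepted_users": [...]}} for each source
    at or above the failure threshold. A successful login after a burst of
    failures is the case that matters most: the attacker is already in."""
    failures = Counter()
    accepted = {}
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.setdefault(m.group(2), []).append(m.group(1))
    return {
        ip: {"failures": n, "accepted_users": accepted.get(ip, [])}
        for ip, n in failures.items()
        if n >= threshold
    }


def containment_rules(suspects):
    """iptables commands that drop only the attacker sources, in both
    directions, so the service stays up for everyone else. Returned as
    strings for review; nothing is executed here."""
    rules = []
    for ip in sorted(suspects):
        rules.append(f"iptables -I INPUT -s {ip} -j DROP")
        rules.append(f"iptables -I OUTPUT -d {ip} -j DROP")  # cut the return path too
    return rules


def evidence_record(label, data, collector, when=None):
    """Chain-of-custody entry: what was collected, by whom, when, and its
    SHA-256. Hypothetical helper; a real case file would add case ID,
    source host and the tool used."""
    when = when or datetime.now(timezone.utc)
    return {
        "item": label,
        "collected_by": collector,
        "collected_at": when.isoformat(),
        "size_bytes": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


# Order of volatility (RFC 3227): capture in this order, before any power-off.
VOLATILITY_ORDER = [
    "registers, cache",
    "routing table, ARP cache, process table, kernel statistics, memory",
    "temporary file systems",
    "disk",
    "remote logging and monitoring data relevant to the system",
    "physical configuration, network topology",
    "archival media",
]

if __name__ == "__main__":
    suspects = triage(SAMPLE_LOG)
    print(json.dumps(suspects, indent=2))
    print("\n".join(containment_rules(suspects)))
    print(json.dumps(evidence_record("auth.log excerpt", SAMPLE_LOG.encode(), "ir-oncall"), indent=2))
```

On the sample data only 203.0.113.45 crosses the threshold, and the "Accepted password for deploy" line from the same address is the finding a responder must act on first: the block rules stop further traffic, but the `deploy` account and anything it touched are now part of the investigation, and the hashed excerpt is what you hand to the forensic investigator rather than a copy edited after the fact.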
Inform your customers
It will be a painful call, but informing your customers and suppliers is mandatory if you want to maintain a good working relationship. Hiding facts does not work, and things will only be worse when the truth gets out, which, sooner or later, it will. In most cases mutual understanding and a "common enemy" approach, working together with your customers to overcome the crisis, may even strengthen the relationship.
Be pro-active with the press
Be very pro-active and cooperative with quality press when they appear on your doorstep. Be wary of journalists and news channels looking for sensational, over-hyped stories with an editorial bias, aimed at attracting attention in low-quality mass media. Instruct your staff not to talk to the press when approached and to redirect all questions to your assigned communications officer. One message to the outside world is key, and only once the facts are clear and validated. Choose a reputable and reliable press channel to work with.
Involve your legal team
Involve your legal team to follow the applicable telecom laws and electronic privacy directives that dictate openness and data breach notification to the appropriate authorities, including the deadlines within which notification must be made.
Create and practice runbooks for each scenario
There are many kinds of security incident: DoS attacks, lost or stolen data, employee mistakes, illegal connections to your data or networks, worms, trojans or viruses in your network. Keep in mind that each of these requires a different approach. It is recommended to develop a runbook for each attack category and to dry-run those scenarios regularly with the team.
A security incident is not finished until an evaluation has been done in which all steps are reviewed and the lessons learned are converted into ISMS improvements.
Is your organization prepared for a major security breach?
March 4, 2015